Configuring password storage
By default, the passwords for the accounts you add to the Privileged Access Service are stored securely in the Privileged Access Service. If you prefer to store them in a key management appliance or hardware security module appliance—such as an on-site SafeNet KeySecure appliance—you can configure the Privileged Access Service to store and retrieve system passwords using the supported external appliance.
Note that you must have the SafeNet KeySecure appliance installed and configured and available on the network before configuring it for the storage of Privileged Access Service passwords. You can use client certificates created by the Centrify service or a client certificate you have created on your own.
To store passwords in SafeNet KeySecure:
- In the Admin Portal, click Settings, then click Resources to display the settings available for Privileged Access Service.
- Click Password Storage.
If you have not yet configured secure communication between the Centrify connector and the SafeNet KeySecure appliance, click Configure settings for SafeNet KeySecure to open global settings in the administrative portal for the Zero Trust Privileged Access Service. For more information about configuring SafeNet KeySecure to store passwords for Privileged Access Service accounts, see Managing password storage.
Select the location for storing passwords.
For example, select SafeNet KeySecure appliance to store passwords in a SafeNet KeySecure appliance.
Click Save to save the password storage location.
Saving a new password storage location will prompt you to migrate passwords to the new location immediately. Click Yes to migrate all existing passwords. If you click No, only new passwords are stored in the new location. If you click No, you can click Migrate Passwords at a later time to migrate previously stored passwords to the new location.
Specify the email address where you want to receive notification of the migration results, then click Yes.
For more information about checking password migration status, see the following topics: